Re: re. name cert meaning


At 10:20 AM 2/13/98 -0800, Curtis Yarvin wrote:
>> At 01:46 PM 1/25/98 -0700, Bryan Ford wrote:
>> >Basically, as Curtis said, a name cert is really just a statement
>> >that "principal Y is hereby authorized to use name X in my namespace."
>> to nit pick:
>> I believe the SDSI name is better defined as "X is a label by which I (the 
>> issuer) refer to principal Y (or some set of principals $Y_i$)".
>These may be two different things.
>When I said that, I was talking about X.509 naming, not SDSI
>naming.  Obviously, Carl's definition of SDSI naming is
>correct, but X.509 has a different property: it refers to
>names that have fixed meaning in the physical world.
>An SDSI name seems to me more like a pointer, a way of
>describing a keyholder or keyholder set that is more
>convenient than directly including a public key.  Having a
>certain SDSI name is not a privilege in and of itself.
>Being able to claim that you are the person referred to by
>an X.509 name is.

I look at X.509 names as just another formatting for SDSI names.  That is, 
one can form

(name <509-root-key> <CA-name-1> <CA-name-2> ... <leaf-name>)

and some have proposed that X.509 names need to be in that form, in order to 
be completely unambiguous.  That's a SDSI name.

The place where I believe we depart strongly from the X.509 community is 
that we have looked at the idea of a name with a fixed meaning in the 
physical world and found it wanting.  In particular, it just doesn't work -- 
and runs the danger of introducing security flaws.

Of course, anyone can build a globally unique name and we sometimes need 
them.  We have them in SPKI/SDSI -- the public key or its hash.

 - Carl

|Carl M. Ellison  cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc.                      http://www.cybercash.com/    |
|207 Grindall Street  PGP 08FF BA05 599B 49D2  23C6 6FFD 36BA D342 |
|Baltimore MD 21230-4103  T:(410) 727-4288  F:(410)727-4293        |
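
The name form discussed in the message, `(name <509-root-key> <CA-name-1> ... <leaf-name>)`, can be read as a walk through local namespaces, each hop keyed by the issuer's key. The sketch below is an added example and not part of the original message or of any SPKI/SDSI implementation; the keys, the labels and the use of SHA-256 as the key hash are constructed assumptions.

```python
import hashlib

# Constructed stand-ins for public keys (not real key material).
ROOT, CA1, CA2 = b"constructed-root-key", b"constructed-ca1-key", b"constructed-ca2-key"
ALICE, BOB, OTHER = b"constructed-alice-key", b"constructed-bob-key", b"constructed-other-key"

def key_hash(key: bytes) -> str:
    """The only globally unique name in this model: the hash of the key."""
    return hashlib.sha256(key).hexdigest()

def build_certs() -> dict:
    """Name certs as (issuer key hash, local label) -> set of subject key hashes.

    Each entry reads: "label is how the issuer refers to these principals".
    """
    certs: dict = {}

    def issue(issuer: bytes, label: str, *subjects: bytes) -> None:
        entry = certs.setdefault((key_hash(issuer), label), set())
        entry.update(key_hash(s) for s in subjects)

    issue(ROOT, "ca-1", CA1)
    issue(CA1, "ca-2", CA2)
    issue(CA2, "leaf", ALICE)
    issue(CA2, "staff", ALICE, BOB)   # a label may denote a set of principals
    issue(OTHER, "leaf", BOB)         # same label, different namespace
    return certs

def resolve(certs: dict, root_key: bytes, *labels: str) -> set:
    """Resolve (name <root_key> <label-1> ... <label-k>) to a set of key hashes."""
    principals = {key_hash(root_key)}
    for label in labels:
        # Each label is looked up only in the namespaces of the principals
        # reached so far; it has no meaning outside those namespaces.
        principals = set().union(*(certs.get((p, label), set()) for p in principals))
    return principals

if __name__ == "__main__":
    certs = build_certs()
    print(resolve(certs, ROOT, "ca-1", "ca-2", "leaf"))  # Alice's key hash
    print(resolve(certs, OTHER, "leaf"))                 # Bob's key hash
    print(resolve(certs, ROOT, "leaf"))                  # empty: no such label at the root
```
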